Presentation is loading. Please wait.

Presentation is loading. Please wait.

The RV System Tutorial Patrick Meredith and Grigore Rosu joint work with Feng Chen, Dongyun Jin, Dennis Griffith, Michael Ilseman Runtime Verification,

Published byNorman Eaton Modified over 9 years ago

Similar presentations

Presentation on theme: "The RV System Tutorial Patrick Meredith and Grigore Rosu joint work with Feng Chen, Dongyun Jin, Dennis Griffith, Michael Ilseman Runtime Verification,"— Presentation transcript:

1 The RV System Tutorial Patrick Meredith and Grigore Rosu joint work with Feng Chen, Dongyun Jin, Dennis Griffith, Michael Ilseman Runtime Verification, Inc. University of Illinois

2 2 The RV System Combines Runtime Monitoring and Predictive Analysis 2 New Version of JavaMOPNew Version of jPredictor

3 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation –Monitor Synthesis –Parametric Monitoring –Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation –Sliced Causality –Pipeline –Race Prediction

4 Why Monitoring Monitoring is well-adopted in many engineering disciplines –Fuses, watchdogs, fire-alarms, etc. Monitoring adds redundancy –Increases reliability, robustness and confidence in correct behavior, reduces risk Provably correct systems can fail, too –Unexpected environment, wrong/strong assumptions, hardware or OS errors, etc.

5 Applications of Monitoring Debugging – Development – Error messages Testing – Development – Error messages Security/Reliability/Robustness/… –Production –Recovery mechanisms Programming Paradigm –Production –General actions

6 Runtime Monitoring Systems (a few of them) ≤ 2001 –MAC (UPenn), PAX (NASA), TimeRover (commercial) 2002-2004 –HAWK/Eagle (NASA), MOP (UIUC), POTA (UTA) ≥ 2005: –PQL (Stanford) –Tracematches (Oxford) –PTQL (Berkeley/Stanford/Novell) –Pal (UPenn) –RuleR (Manchester) –… many others

7 FailFast Iterator Vector v = new Vector(); Iterator i = v.iterator(); v.add(new Integer(2)); while (i.hasNext()) … Following code throws exception in Java (FailFast): FailFast: if the underlying vector is changed when an iterator is used for enumerating elements, the iterator fails. However …

8 MOP Example: Safe Enumeration No exception raised if one uses Enumeration instead of Iterator –Java language decision, showing that properties referring to sets of objects are important Easy to specify in JavaMOP: SafeEnum(Vector v, Enumeration+ e) { event create after(Vector v) returning(Enumeration e):... event updatesource after(Vector v) :... event next before(Enumeration e) :... ere : create next* updatesource+ next @match { System.out.println(“Failed Enumeration!"); } } > 250 AspectJ LOC generated …

9 Complexity of SafeEnum Tricky to check SafeEnum manually –Two counters needed, one in the vector (the current timestamp) and the other in the enumeration (the vector’s timestamp when creating the enumeration). –Accesses to vector / enumerator can be scattered all over the code, both in program and in libraries –Accesses to vector’s counter must be synchronized –Every implementation of the Enumeration interface should repeat the above work

10 Bug found in jHotDraw The underlying vector should not be changed when one of its enumerations is being used! Main Thread: Vector v = //initialization; … Enumeration e = v.elements(); … Object obj = e.nextElement(); … Task Thread: … v.remove(0); … Example of Unsafe Enumeration May cause unexpected behaviors, e.g., a NoSuchElement Exception or some errors later.

11 Demo cd RV/Tutorial/SafeEnum Generate monitor aspect code for SafeEnum Show size of the generated AspectJ code Weave program with monitor, using ajc Run resulting program

12 RV-Monitor (Based on Monitoring Oriented Programming - MOP) http://fsl.cs.uiuc.edu/mop A generic runtime verification framework - proposed in 2003 – RV’03, ICFEM’04, RV’05, CAV’05, TACAS’05, CAV’06, CAV’07, OOPSLA’07, ASE’08, RTSS’08, AOSD’08,TACAS’09, …

13 What RV-Monitor Supports Observe a run of a system –Requires instrumentation –Can be offline or online Check it against desired properties –Specified using patterns or in a logical formalism React/Report (if needed) –Error messages –Recovery mechanisms –General code

14 RV-Monitor Model Program Execution Abstract Trace M1M1 M2M2 M3M3 … Monitors Observation/Abstraction Verification Action Monitors verify abstract traces against desired properties; can be dynamically created or destroyed

15 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation –Monitor Synthesis –Parametric Monitoring –Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation –Sliced Causality –Pipeline –Race Prediction

16 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation –Monitor Synthesis –Parametric Monitoring –Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation –Sliced Causality –Pipeline –Race Prediction

17 Monitor Synthesis Program Execution Abstract Trace M1M1 M2M2 M3M3 … Monitors Observation/Abstraction Verification Action How do we generate efficient monitors?

18 MOP: Extensible Logic Framework Generic in specification formalisms Logic plugin: plugable monitor synthesis components for different logics Already provides plugins for many logics –FSM (Finite State Machine), ERE (extended regular expressions), PTLTL (Past-time LTL), FTLTL (Future- time LTL), ATL (Allen temporal logic), JML (Java modeling language), PtCaRet (Past-time Call/Return), CFG (Context-free grammars), … The desired property can be arbitrarily complex: Raw specifications

19 FSM Plugin Finite State Machine Easy to use, yet powerful Many approaches/users encode important properties directly in finite state machines, e.g., Typestates Monitoring FSM –Direct translation from an FSM specification to a monitor

20 ERE Plugin Extended Regular Expressions Regular expressions –Widely used in programming, easy to master for ordinary programmers –Existing monitor synthesis algorithm Extended regular expressions –Extend regular exps with complement (negation) –Specify properties non-elementarily more compactly –More complicated to monitor

21 LTL Plugins Linear Temporal Logic MOP includes both a past-time plugin (PTLTL) and an over-all LTL plugin for LTL PTLTL uses a dynamic programming algorithm, low resources, suitable for hardware LTL uses a translation through alternating automata. Semantics of past is different than PTLTL

22 22 CFG Plugins Context-Free Grammar

23 23 GLR Parsing Yields CFG Monitors Reads input Left to right, produces Right-most derivation; table driven Bottom-up parsing –keeps stack with the current, and previous states Efficient Handles all context-free grammars, even those with ambiguity Makes it a good candidate for CFG monitor synthesis!

24 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation –Monitor Synthesis –Parametric Monitoring –Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation –Sliced Causality –Pipeline –Race Prediction

25 Demo FSM Demo ERE Demo CFG Demo Show the plugin output for the SafeEnum example

26 MOP Monitoring Model Program Execution Abstract Trace M1M1 M2M2 M3M3 … Monitors Observation/Abstraction Verification Action Monitors can be dynamically created or destroyed Parametric monitoring

27 Parametric Properties Needed, but hard to monitor efficiently SafeEnum(Vector v, Enumeration+ e) { event create after(Vector v) returning(Enumeration e):... event updatesource after(Vector v) :... event next before(Enumeration e) :... ere : create next* updatesource+ next @match { System.out.println(“Failed Enumeration!"); } } Parameters

28 Safe Enumeration as Parametric Property Usage pattern (using regular expressions) of three events –updatesource(v) : change vector v –create(v,e) : create enumeration e from vector v –next(e) : use enumeration e create next * updatesource + next 1 2 create updatesource next 3 0 Violation state Monitor

29 Monitoring Safe Enum Main Thread: Vector v = //initialization; … Enumeration e = v.elements(); … Object obj = e.nextElement(); … Task Thread: … v.remove(0); … createupdatesourcenext … 1 2 create updatesource next 3 0

30 Lack of Parameters Leads to False Alarms Main Thread: Vector v = //initialization; … Enumeration e = v.elements(); … Object obj = e.nextElement(); … Task Thread: … v.remove(0); … createupdatesourcenext … Appear to be a violation but it is not; false alarm! v2.remove(0);

31 Adding Parameters to Events create(v, e)update(v2)next(e) … … Parametric traces: traces containing events with parameters; Abundant in practice, especially in object-oriented programs Main Thread: Vector v = //initialization; … Enumeration e = v.elements(); … Object obj = e.nextElement(); … Task Thread: … v2.remove(0); … update(v) v.remove(0);

32 Checking Parametric Traces updatesource(v1)create (v1,e1)updatesource(v2)next(e1)create(v1,e2)updatesource(v1)next(e1) parametric trace 12 create updatesource next 3 0 non-parametric monitor parametric monitor

33 Parametric Monitors Other approaches: Monolithic (centralized) monitors –Tracematches [Oxford], Program Query Language (PQL) [Stanford], Eagle [NASA], etc. –Bound to specific formalisms/checking mechanisms –Limited expressiveness, specific to application domains Our solution: decentralized monitors –Formalism-independent, works with any formalism More expressive, adaptive to different domains –Facilitates optimization (separation of concerns) Evaluation shows better performance

34 next Parametric Trace Slicing updatesource updatesource(v1) createupdatesource(v2)nextcreate(v1,e2) updatesource next(e1) v1, e1v1, e2v2, e1 v2, e2 create (v1,e1) next(e1) updatesourcecreateupdatesourcenext For given parameters (v, e) trace slice updatesource(v1)

35 Naive monitoring of Parametric Traces Every parametric trace contains multiple non- parametric trace slices, each corresponding to a particular parameter binding v1, e1v1, e2 1 2 create updatesource next 3 01 2 create updatesource next 3 0

36 Parametric Trace Slicing - Challenges update(v1)createEnum(v1,e1)update(v2)useEnum(e1)createEnum(v1,e2)update(v1)useEnum(e1) v1, e1v1, e2v2, e1 update(v1)createEnum(v1,e1)useEnum(e1)update(v1)useEnum(e1)updatecreateEnumuseEnumupdateuseEnumupdatecreateEnumupdateuseEnum How to do it efficiently? For given parameters (v, e) What if the trace is not complete?

37 Online: process events as receiving them and do not look back for the previous events Efficient –Scan the trace once –Events discarded immediately after being processed What information should be kept for the unknown future? Online Parametric Trace Slicing

38 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation –Monitor Synthesis –Parametric Monitoring –Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation –Sliced Causality –Pipeline –Race Prediction

39 Slicing Example update(v1)createEnum(v1,e1)update(v2)useEnum(e1)createEnum(v1,e2) v2, e1v1v1, e1v1, e2v2 update createEnumupdate createEnumuseEnum e1 useEnum For given parameters (v, e) Optimization: based on static property analysis, generate specialized slicing code for the given specification

40 40 RV-Monitor Performance Comparison of Tracematches (TM), JavaMOP (MOP), and RV: Average percent runtime overhead

41 Decentralized Monitoring Monitor instances (one per parameter instance) M  p1 M  p2 M  p3 … M  p1000 A monitor instance is regarded as a black box; It can be any code (even a Raw specification monitor) handling the corresponding trace.

42 Indexing … The problem: how can we retrieve all needed monitor instances efficiently? M  p1 M  v,e1 M  v,e2 … M  p1000 updatesource(v) Naïve implementation very inefficient (both time- and memory-wise)

43 43 Decentralized Indexing Monitors scattered all over the program Monitor states piggybacked to object states Weak references SafeEnum events create(v,e) udatesource(v) next(e)

44 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation –Monitor Synthesis –Parametric Monitoring –Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation –Sliced Causality –Pipeline –Race Prediction

45 45 Why Prediction Concurrent programs are hard to analyze –Model checking: number of interleavings is prohibitively large –Testing: interleavings depend on environment Combine dynamic and static methods to find bad behaviors near correct executions 45

46 46 Our Solution Sliced Causality –General purpose technique to predict (bad) behaviors from correct runs –Sound: No false alarms RV-Predict –Tool implementing Sliced Causality –Allows for prediction of any property for which an algorithm exists –Better than tools specialized simply for data race or atomicity violations 46

47 47 Prediction Example

48 48 Prediction Example Buggy S 4 can be executed before S 1 Low possibility to hit error in testing 48 Can we predict the error even when the above execution is observed? Yes! But not in the traditional way

49 49 Special Case: Data Races Our techniques work for any behavioral property One of the simplest properties is race detection –Two accesses to a shared variable can take place concurrently –At least one of the accesses is a write

50 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation –Monitor Synthesis –Parametric Monitoring –Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation –Sliced Causality –Pipeline –Race Prediction

51 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation –Monitor Synthesis –Parametric Monitoring –Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation –Sliced Causality –Pipeline –Race Prediction

52 52 Predictive Runtime Analysis

53 53 Predictive Runtime Analysis

54 54 Predictive Runtime Analysis

55 55 Predictive Runtime Analysis More relaxed causal model yields more inferred executions

56 56 Traditional Predictive Runtime Analysis: Happens-Before 56

57 57 Happens-Before Works... If Lucky

58 58 Happens-Before Works... If Lucky

59 59 Happens-Before Limitations

60 60 Sliced Causality Relaxes the Happens-Before causal model –Formally proved in [chen-rosu-07] How? Focus on the property Use static information about the program Remove events and causalities irrelevant to the property –Smaller and more relaxed causal model –(Exponentially) more inferred executions –Better predictive capability 60

61 61 Sliced Causality Start with those events relevant to the property Add events on which they are control dependent (transitively, intrathread) Add events on which they are data dependent (transitively, interthread) 61

62 62 Static Information: Control Scope S 2 is in the control scope of S 1 if its execution depends on a choice at S 1 Extends to other control statements –break/continue, return, exceptions 62

63 63 Slice Causality Works!

64 64 Slice Causality Works!

65 65 No False Alarms ☺

66 66 No False Alarms ☺

67 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation –Monitor Synthesis –Parametric Monitoring –Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation –Sliced Causality –Pipeline –Race Prediction

68 68 RV-Predict Pipeline

69 69 RV-Predict Pipeline

70 70 RV-Predict Pipeline

71 71 RV-Predict Pipeline

72 72 RV-Predict Pipeline

73 73 RV-Predict Pipeline

74 74 RV-Predict Pipeline

75 Overview Monitoring RV-Monitor Demo RV-Monitor Techniques and Implementation –Monitor Synthesis –Parametric Monitoring –Optimizations Prediction RV-Predict Demo RV-Predict Techniques and Implementation –Sliced Causality –Pipeline –Race Prediction

76 76 Data Race Prediction Consider all pairs of accesses in the trace –We actually do something smarter Check if either access is a write –We are not worried about read-read races Check if they have incomparable VCs –Incomparable VCs means accesses could be reordered If they have different lock sets then race found 76

77 77 Incremental Race Prediction Take advantage of the fact that traces are totally ordered wrt themselves Begin with a search state for every pair of threads in a set S –Consider each state in S, check for race If e1 < e2, add a new state with position in t1 advanced If e1 > e2, add a new state with position in t2 advanced If e1 <> e2, add two new states 77

78 78 Incremental Data Race Detection State 1 e1e1 e2e2 State 2 e3e3 e2e2 e1 < e2 e3 <> e2 both reads State 1 e5e5 e2e2 e3e3 e4e4 e5 > e2 State 1 e5e5 e4e4 e3 <> e4 e4 write with different lock sets race! This generalizes to other prediction algorithms!

79 79 RV-Predict Performance jPredictor vs. RV-Predict

80 Conclusion RV-Monitor is a generic yet efficient monitoring system –Extensible logic framework: FSM, ERE, PTLTL, FTLTL, LTL, CFG, PTCaRet, … RV-Predict provides very efficient causal predict of generic properties –Race detection, atomicity violations, monitoring properties

Download ppt "The RV System Tutorial Patrick Meredith and Grigore Rosu joint work with Feng Chen, Dongyun Jin, Dennis Griffith, Michael Ilseman Runtime Verification,"

Similar presentations

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
A Survey of Runtime Verification Jonathan Amir 2004.

A Survey of Runtime Verification Jonathan Amir 2004.
Automated Evaluation of Runtime Object States Against Model-Level States for State-Based Test Execution Frank(Weifeng) Xu, Gannon University Dianxiang.

Automated Evaluation of Runtime Object States Against Model-Level States for State-Based Test Execution Frank(Weifeng) Xu, Gannon University Dianxiang.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Runtime Verification Ali Akkaya Boğaziçi University.

Runtime Verification Ali Akkaya Boğaziçi University.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
RV: A Runtime Verification Framework for Monitoring, Prediction and Mining Patrick Meredith Grigore Rosu University of Illinois at Urbana-Champaign (UIUC)

RV: A Runtime Verification Framework for Monitoring, Prediction and Mining Patrick Meredith Grigore Rosu University of Illinois at Urbana-Champaign (UIUC)
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
The Big Picture Chapter 3. We want to examine a given computational problem and see how difficult it is. Then we need to compare problems Problems appear.

The Big Picture Chapter 3. We want to examine a given computational problem and see how difficult it is. Then we need to compare problems Problems appear.
/ PSWLAB Efficient Decentralized Monitoring of Safety in Distributed System K Sen, A Vardhan, G Agha, G Rosu 20 th July 2007 Presented by.

/ PSWLAB Efficient Decentralized Monitoring of Safety in Distributed System K Sen, A Vardhan, G Agha, G Rosu 20 th July 2007 Presented by.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.

An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 13: Runtime Monitoring.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 13: Runtime Monitoring.
Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.

Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.
C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.

C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.
Automatically Extracting and Verifying Design Patterns in Java Code James Norris Ruchika Agrawal Computer Science Department Stanford University {jcn,

Automatically Extracting and Verifying Design Patterns in Java Code James Norris Ruchika Agrawal Computer Science Department Stanford University {jcn,
© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.

© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.
Advances in Language Design

Advances in Language Design
Modern Concurrency Abstractions for C# by Nick Benton, Luca Cardelli & C´EDRIC FOURNET Microsoft Research.

Modern Concurrency Abstractions for C# by Nick Benton, Luca Cardelli & C´EDRIC FOURNET Microsoft Research.

Similar presentations

Ads by Google